Defeating a 40-year-old copy protection dongle
dmitrybrant.com464 points by zdw 11 hours ago
464 points by zdw 11 hours ago
These dongles used to be ubiquitous and they broke all the time.
As a young intern, I arrived early one morning to find the PCB layout software (PADS PowerPCB) on our "design PC" wasn’t working. (I use quotes because it was just the beefiest machine we had, naturally our boss’s PC, which he kindly shared)
Obviously the dongle. I tried unplugging and replugging it, with and without the printer daisy-chained. Nothing.
So I begrudgingly asked my colleague who’d just arrived. He looked at the dongle, looked at me, looked at the dongle again, and started laughing.
Turns out our Boss had stayed late the previous night processing customer complaints. One customer had sent back a "broken" dongle for the product we were selling. Boss tested it on his PC, found it worked fine, and mailed it back on his way home.
Except he didn’t send our dongle back. He had sent my PowerPCB dongle. More fun was had when the rest of the team and finally our boss arrived. Luckily he took it with good humor.
Many a crack back in the day was even more simple still, we'd just find and alter the right JE or JNE into a JMP and we're off to the races. As the author found, the tough part is just finding and interpreting where and how the protection was implemented. If throwing the exe in a hex editor gave you access to String Data References (not always the case, but more common than not) then you'd just fail the check you were trying to skip, find that string, hop over into assembly to see what triggered loading that, and then just alter the logic to jump over it when the time comes.
Many years ago I was a technician supporting a few custom programs on thousands of PCs. The developer of one of these programs had added a date check to his code so the program would refuse to run after a set date and each new release would increase this date by a few months so it would stop working after a few weeks if he ever stopped creating new releases. His contract ended and a few weeks later his software, now relied upon by hundreds of sites, stopped working. The contract for the software development was thoroughly checked and legal action against the developer was started but I asked to see if I could resolve the problem in the meantime.
It only took ten minutes with a dissassembler to find the JGT (Jump if greater than) and convert it to a JLT so the software would stop running if the date was before a certain date rather than after. I created a patching tool that simply flipped one bit that was sent out to all the sites and everything was good again. I don't think I'll ever beat the elegance of a single bit flip hack.
There's a lot of things going on that lead to this.
One, the developers spend more time running this code than we do, and they have to get the program working before we can even use it. So any parts of the program that are hostile to the developers risks killing the entire project. Obfuscating the copy protection can hit a point where it makes bug fixing difficult.
Two, lack of training. If you, me, and Steve each have a bag of tricks we all use to crack games, whichever one of us figures it out gets bragging rights but the game remains cracked. Meanwhile Developer Dan has to be aware of all the tricks in all of our bags together if he wants to keep the three of us out. Only there's not three of us, there's 300. Or today, probably more like 30,000.
Three, lack of motivation, which is itself several different situations. There's a certain amount of passive aggression you can put into a feature you don't even really want to work on. You can lean into any of the other explanations to defend why your code didn't protect from cracking all that much, but it's a checkbox that's trying to prove a negative, and nobody is going to give you any credit for getting it to work right in the same way they give you credit for fixing that corner glitch that the QA people keep bitching about. Or getting that particle animation to work that makes the AOE spells look badass.
I remember an icon editor (or something similar) for Windows 3.1, it was a shareware where you could enter a code to remove the nag screen. No crack was necessary, I basically managed to enter valid registration codes by just typing random numbers. In the end I had enough valid numbers that I could figure out the logic, it was something about the sums of digit groups.
I remember I had some demo software that could be enabled with a code. I was just curious and at the code prompt, I entered the debugger. I dumped the process space and there was a nul-terminated string of letters and numbers. I restarted the process and entered them at the prompt and voila, it was enabled.
(I did go on to pay for the software)
> Many a crack back in the day was even more simple still, we'd just find and alter the right JE or JNE into a JMP and we're off to the races.
I did that with dBASE III, which used ProLok "laser protection" from Vault Corporation - a signature burned onto the diskette with a laser. Back then, I found it amazing that Ashton-Tate actually spent money to contract with a copy protection company for something that could be so easily defeated by a teenager reading assembler.
They could have easily just written the same kind of code themselves. An example of the power of marketing over substance.
I was able to replicate that protection mechanism just by scratching a diskette with a pin. The "laser" was a meaninglessly advanced-sounding solution that added no value compared to any other means of damaging a diskette.
I remember doing something similar with Lemmings 3D. You could simply NOP over the JMP into the copy-protection subroutine. It was surprisingly easy.
Made me feel like such a badass hacker at 15 years old.
When I was 10 or so, I "cracked" Slam! Air Hockey for Windows 3.1 by opening the exe in EDIT.COM and replacing some random binary garbage with spaces. After a few attempts, I managed to bypass the shareware dialog but also introduced some weird bugs that I don't recall the details of.
"Cheat enginge"
This was one of those things you really really wanted but once you toyed with it, it sucked the fun out of games and they felt pointless.
Was ist ever confirmed that it was in fact a laser? I wanted to make a trivia question out of this ProLok protection, because “lasers for copy protection” sounds just weird enough to potentially be a nonsense answer without context, but I couldn’t confirm that the holes were indeed made with lasers, and not with other means.
Good question. I don't know the answer, but I'm quite certain that it didn't really matter what mechanism was used to mark a diskette. Any damage would be equally strong as a way to detect copying.
> I was able to replicate that protection mechanism just by scratching a diskette with a pin.
How did you figure out where to scratch it? Was the laser mark visible on the original disk, or did you have to read the code and orient based on the diskette's index hole?
Yes, it was apparently very visible: https://martypc.blogspot.com/2024/09/pc-floppy-copy-protecti...
But as I mentioned in a sibling comment, I’m not sure it was ever confirmed that it was really a laser that made that mark.
I described two different scenarios: defeating the protection, and replicating it, e.g. to protect your own software without paying Vault for their "laser" protection.
Defeating the protection didn't involve knowing anything about the laser mark - as the comment I replied to described, it just involved changing a conditional jump to an unconditional one.
Replicating the protection involved causing minor damage on the diskette - the details don't really matter, laser, pin scratch, whatever - then formatting the disk, and registering the pattern of bad sectors created by the damage. A normal copy of the disk didn't replicate those bad sectors exactly, which made it possible to detect that the original disk was not present.
Ha! I remember disk copy programs which read these bad sector patterns and then replicated the error pattern in software (not on physical disk obviously).
Similar stuff was later used for CDs IIRC.
I write civil engineering software [0] and am familiar with this kind of dongle. Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand.
Since we sold (and still sell) perpetual licenses, it becomes a problem when a dongle breaks and replacement parts are no longer available. Not all users want to upgrade. Also, you may hate cloud licensing, but it is precisely cloud licensing that makes subscriptions possible and, therefore, recurring revenue—which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade.
Also, despite investing a lot of effort into programming the dongle, we can still usually find cracked versions floating online, even on legitimate platforms like Shopee or Lazada. You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected. It’s not as if we have the legal resources to pursue pirates.
[0]: https://mes100.com
> You might think cracking dongles is fun and copy protection is evil, but without protection, our livelihood is affected.
I understand you might feel this way, but it seems to me customers are mostly business clients, who would are more inclined to spare the expense of purchasing said licenses, since they're not personally buying it themselves, and would want to have support and liability (i.e: Someone to hold liable for problems in said software.). In fact, having no copy protection would probably have saved you the problem you mentioned where a dongle breaks and replacement parts are no longer available; this is one of the talking points that anti-drm/copy protection people advocate for, software lost to time and unable to be archived when the entities who made such protections go out of business or no longer want to support older software.
> even on legitimate platforms like Shopee or Lazada.
On a slight tangent, but I personally don't find either platform legitimate (Better than say, wish[.]com or temu, but not as "legitimate" as other platforms, though I can't think of a single fully legitimate e-commerce platform). Shopee collects a ton of tracking information (Just turn on your adblocked, or inspect your network calls. It's even more than Amazon!), is full of intrusive ads, sketchy deals, and scammers. You yourself said you can easily find cracked versions of the dongle there, which doesn't speak well for the platform. And Lazada is owned by Alibaba Group, which speaks for itself. I'm not sure why consumers in South East Asian regions aren't more outspoken about this, since they seem to be the some of the more popular e-commerce platforms there.
>business clients, who would are more inclined to spare the expense of purchasing said licenses, since they're not personally buying it themselves, and would want to have support and liability (i.e: Someone to hold liable for problems in said software.)
This is a nice idea but the reality is that there's MANY corporate customers who are happy to get away with casual piracy. Sometimes it's a holdover from when the company was small enough that every business expense is realistically coming out of their own pocket, sometimes they're trying to obfuscate how much their department actually costs to the company at large.
You think individual consumers lie to themselves to justify software piracy? Corporate self-deception is a WHOLE new kettle of fish.
I can tell you that piracy in the corporate world was RAMPANT in the ‘90s. I made a nice sum of money back in the day as a freelance auditor for companies trying to get their legal ducks in a row. Productivity software like Lotus, WordPerfect, Word, Excel were just mass installed off one license because there was no product activation keys or any sort of license validation methods.
Dongles were pretty commonplace on your more expensive software products from mid 90s through the early 00s. If I was publishing software that was a >$1000 a license, I damn sure would have used them.
Even at a simple level, if it's between spending weeks going through purchasing or not asking too many questions and getting on with it. I can see a lot of people choosing option B.
Yeah case in point - how many people actually pay for Visual Studio? You're supposed to if you're using it for commercial purposes but I don't think I've ever seen a commercial license used (though I don't do a lot of Windows work tbf).
You’re using “spare” incorrectly. It means to avoid. “Spare the expense” means to avoid having to pay for the license. Which seems to be the opposite of what you are saying.
“Spare the money” is probably what you mean. That is to part with the money, to avoid having it, for example by spending it. Or by giving it away - As in “can you spare a dime.” The is the inverse of sparing the expense, just as an expense is the inverse of money.
Yes, I meant to say "spare no expense" (though it isn't a drop in replacement, the sentence would need to be restructured slightly).
> Yes, even today there are users who want this kind of dongle instead of, say, cloud-based validation. They feel secure only if they have something tangible in hand.
In my experience this continues to this day due to people who require drawing on air-gapped computers, because the drawings/simulations they work on are highly sensitive (nuclear, military, and other sensitive infrastructure).
But I'm sure there are also old-fashioned people who like the portability/sovereignty of not having to rely on a third-party license server as you suggest.
What's old fashioned about not having your business ability dependant on the vendors crappy cloud license check?
> from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade.
Why should users upgrade or keep paying you when they already bought what they need and don't need anything else?
Because
1. Physical dongle tends to break, and when it does, they expect us to give them replacing parts
2. They do expect bug fixes-- especially calculation bug fixes-- as the bugs are discovered. It's hard to leave their production critical apps broken like that once you know that the bugs can cause monetary or even life loss.
Wanting to say in business makes sense, bug fixes make sense.
But the actual dongle... look, something like that should have a 30+ year warranty. There should be a plan for how to replace it a couple times before making the initial sale.
They actually have this solved with iLok... You can move the license to new dongles at will. And they have a relatively inexpensive annual service where they'll issue you temporary licenses for what was on the ilok while you ship it back the defective dongle to them. Mostly used for DAW software and plugins, but apparently a few other things have used it for licensing.
> Why should users upgrade or keep paying you when they already bought what they need and don't need anything else?
Because things evolve and inevitably, hardware dies, and you can't get a replacement.
With an old "dumb" piece of machinery, when something breaks you can either repair the broken part itself (i.e. weld it back together, re-wind motor coils), make a new part from scratch, have a new part be made from scratch by a machining shop, or you adapt a new but not-fitting part. It can be a shitload of work, but theoretically, there is no limits.
With anything involving electronics - ranging from very simple circuitry to highly complex computer controls - the situation is much, much different. With stuff based on "common" technology, aka a good old x86 computer with RS232/DB25 interfaces, virtualization plus an I/O board can go a long way ensuring at least the hardware doesn't die, but if it's anything based on, say, Windows CE and an old Hitachi CPU? Good fucking luck - either you find a donor machine or you have to recreate it, and good luck doing that without spec sheets detailing what exactly needs to be done in which timings for a specific action in the machine. If you're in really bad luck, even the manufacturer doesn't have the records any more, or the manufacturer has long since gone out of business (e.g. during the dotcom era crash).
And for stuff that's purely software... well, eventually you will not find people experienced enough to troubleshoot and fix issues, or make sure the software runs after any sort of change.
Hey, fellow civil-engineering-software designer here! [https://www.anadelta.com/en/anadelta-tessera/] Same story, same problems with dongles, perpetual & subscription licenses.
My dad used to use this kind of dongle for a civil engineering program called 'Cosmos'. Just wild to see it, it was so annoying to because sometimes it would simply not be detected on our 80386.
The problem seems the sales model rather than the dongle:
1) a hardware and software solution implies that hardware will stop working at some point. Customers should understand it 2) you could sell them a new dongle every time support contract ends which is what I’ve experienced with Xways as an example. Even if you’re air gapped once a year usage data upload and new dongle seems fine. 3) why should users receive free upgrades and bug fixes? No software is bug free.
Finally there are several brand protection shops that fight fakes and work well with Shopee, Lazada, Facebook etc. It’s not five dollars but they will take these down effectively
The model you are referring to works fine when the industry is expanding and/or legal entities turn over eventually.
Which is not uncommon.
It’s also one that is typically pretty good for customers that like to do an investment and then continue to reap benefits from it. The capitalization model.
The ‘lease’ model (SaaS) is good for customers with highly variable licensing/software needs or that expect extremely high turnover, and prefer to see these costs as, essentially ‘cost of production’. The cash flow model. It does require a lot of trust, however, that when the lease comes up for renewal the fees won’t be usurious.
Neither is necessarily wrong. A whole lot of folks are starting to realize the downsides of expenses coming out of cashflow though! And losing a lot of trust.
> which, from a business point of view, is especially important in a field where regulations do not change very fast, because users have little incentive to upgrade
This take is diametrically opposite to what end users need. In a world where "if it ain't broke, don't fix it" is perfectly fine for the end user, buying a one off license for a software seems much more sane then SaaS. SaaS is like a plague for end users.
I don't condone piracy, but I also don't condone SaaS.
In a perfect world, I would have agreed with you, even if it's diametrically opposite to my interest as a software developer cum business owner.
But in an imperfect world whereby our dependencies ( software components that we use) and platforms that we need to build/rely on ( like Civil 3D) do charge us on annual basis, and that some of users expect perpetual bug fixes from us, with or without a support contract of sorts, SaaS seems to only way to go for our sustainability.
There's gotta be better middle ground. Release something polished and only fix major bugs/vulnerabilities for free (because that's a liability). Minor bugs are accepted for a one off cost (I'm still using Microsoft 2016, e.g.).
We've all got to push back against these bloated saas models that don't bring tangible benefits to end users and serve only to pad company valuations. Make new versions of your software with features meaningful enough to encourage people to upgrade and outline support periods for existing software sales after they buy a one-time license. There's gotta be a better way. For everyone (except big tech CEOs).
> Release something polished..
That's why software keep adding bloat fancy buttons and change color scheme every few years. This is anti-productive.
Just charge for support, or if that is too harsh. If that is too harsh, charge for upgrades (but give point/minor bug fixes for the version they have for free).
No support contract? Pound sand.
This sounds good, but in the real world it leads to massively upset customers.
The problem exists from both sides of the coin. Firstly the bulk of customers don't purchase a support contract. So there is very little income to pay staff. So the "support" department has very few people. They're also not very good because low wages means staff turnover.
Then Betty phones with a problem. Significant time is spent explaining to Betty that we can't help her because she (or more accurately her company) doesn't have a contract. She's fighting back because an annual contract seems a lot for this piddly question. Plus to procure the contract will take days (or weeks or months) on her side. And it's not I any budget, making things harder. Betty is very unhappy.
The junior tech doesn't want to be an arsehole and it's a trivial question, and is stuck in the middle.
We switched to a SaaS model in 2011. Users fell over themselves thanking us. They don't have to justify it to procurement. The amount can be budgeted for. No sudden upgrade or support fees. Users get support when they need it. The support department is funded and pays well, resulting in low staff turnover, and consequently better service.
Plus, new sales can stop tomorrow and service continues. Funding for support remains even if sales saturate the market.
Consumers may dislike SaaS, but for business, it absolutely matches their model, provides predictability, and allows for great service, which results in happy Users.
If a user gets ongoing value from software it makes sense for them to be willing to pay ongoing for that value. What users need is that the value they get from a product is more than the money they are trading for it. A one off license would be the result of a race to the bottom due to competition.
Because I ate food each day between 1 July 2013 – 31 July 2013, I didn't starve and die. I am receiving ongoing benefit from not being dead. Should I continue paying for all that food?
No, since that food no longer exists. There's nothing the food creator can do. They can't cause it to spoil after you ate it. The massive benefit of not dying allows the price ceiling of food to be very high. But within society there is a lot of competition for nutrients which prevents food from reaching such heights.
So when I buy a CD, I can install the software, and then grind the CD into powder, and since what I bought no longer exists, I can stop paying?
Well the software could disable itself when you stop paying. You stop paying for the value, the software stops providing you value.
Sure, if there is increasing or evolving utility being offered. But it’s also fair to charge for upgrades in that case.
If I get ongoing value from my fully paid off car, should I keep paying the OEM? How about my house or my bike or my shoes? My toilet (huge ROI on this one)? My fridge?? Why do we feel that software gets to impose this ridiculous SaaS model? The only real answer is "because they can", not because it's helping anyone.
Reality is that many modern software developments have plenty in common with designing a toilet. You spend time identifying the problem statement, how you can differentiate yourself, prototype it, work out the bugs, ship the final product, and let sales teams move the product. The difference is the toilet can't be turned into a SaaS (yet) and, if it ever could, that would break functionality because you're supposed to poop in it, not have it poop on you.
I think it would be fair to keep paying for a car, house, bike, shoes, toilet, and fridge. If I'm still using such great products, why not reward the creators of them. But as a consumer I am also price conscious so if a competitor can offer an equivalent product for cheaper I will go with them.
There are arrangements where you continue to pay for cars and houses without owning them. They're called leases and rental agreements. They typically cost a lot less for the consumer than outright purchases and at the conclusion of the lease/rental term the consumer is free to return the car/house to its owner without compensation for depreciation or wear & tear (though car leases usually impose mileage restrictions and routine maintenance requirements).
Rental cars and houses do exist, but you could still have fully owned cars and houses whose doors lock without paying a subscription. It doesn't have to be the full thing either. Certain tiers could disable only air conditioning for example.
Seriously, I have a house full of appliances, tools, clothing, and so on, that I get "ongoing value" from and whose manufacturers don't have the gall to try to charge me monthly for. Totally unacceptable business model.
As long as no one expects updates and ongoing support beyond some pre-agreed time.
The issue is a mismatch of incentives - customers wanting things for free - even if they aren’t actually customers. Vs businesses need/want for ongoing revenue (ideally for free too!).
Both sides are never going to be perfectly happy, but there are reasonable compromises. There are also extractive abusive psychos, of course.
Yeah, Software protection was very naive in the beginning. Fun fact: I owned a windows 3.11 for workgroup UPGRADE disc collection, it was clearly explained and also enforced from the setup installer. So, no previous installed win 3.0 == upgrade installer will fail. The fix: just create an empty Textfile named win.com at any place - the installer simple scans the WHOLE disk just for this existing filename. Next fun fact: in reality, the Upgrade contained the full installation, no only a delta. Men, software was so simple these days....
I have a childhood memory of my dad buying a shrink-wrapped copy of the Windows 3.1 Upgrade that was supposed to allow any installation of "3.0 or earlier" to become Win 3.1. it turned out when we actually tried it it only accepted 3.x though. [1]
I think he ended up pirating a 3.x install from a friend and running the upgrade on to of that; felt pretty morally clear given what the box had advertised.
> I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number?
Seems like it was an appropriate amount of engineering. Looks like this took between an afternoon and a week with the help of an emulator and decompiler. Imagine trying to do this back then without those tools.
Audience matters. Something intended to stop legitimate business consumers in a non tech industry requires substantially less sophistication than something built to withstand professional reverse engineers.
Locks are there to keep honest people honest.
To expand on the saying, they're not there to be insurmountable. Just to be hard enough to make it easier to do things the right way.
And often they’re there so no one can plausibly say they didn’t know what they were doing or stumbled into it accidentally. You can’t “accidentally” go through a door with a padlock on it.
I’d guess it’s something similar with this dongle. You can’t “accidentally” run the software without the dongle.
Copy protection was also generally less robust for educational software, since it sold to generally law-abiding folks (parents, educators, etc.). Never saw Rapidlok or V-MAX! used for educational software on the Commodore 64, for example.
These days there would be an Aliexpress listing selling fake dongles within a month making it easy for the business customers too.
Iremember doing exactly this kind of hack for a small telco in Bueno Aires. Extel. Around the year 2000.
In most cases it was not much more difficult than what OP described.
I worked on some software that was used by telcos around that time - you were probably hacking our dongles :)
In fairness, the decompiler didn't work on the protection method :)
I think that both halves of the author's thesis are true: I bet that you could use this device in a more complicated way, but I also bet that the authors of the program deemed this sufficient. I've reversed a lot of software (both professionally and not) from that era and I'd say at least 90% of it really is "that easy," so there's nothing you're missing!
Yeah, my IT company bitshifts suspect files and provides the magic number.
The protection just needs suficirntly complex.
Back when I was a kid in the 80's. I cracked one of the Ultima games. I had it on my hard drive and didn't want to stick a floppy in every time I ran it.
The code decrypted itself, which confused debuggers, and then loaded a special sector from disk. It was a small sector buried in the payload of a larger sector, so the track was too big to copy with standard tools. The data in the sector was just the start address of the program. My fix was to change executable header to point to the correct start address.
Of course it used to be simple in the earlier days. It got way better and fast with HASP and alike in the mid 90’s. I specifically remember software that kept a portion of its data in the dongle memory with good anti-debugging techniques too. But even the hardest protection would take a week to break at most.
Tell that to the crackers who worked for over a year to simulate a social network in order to finally crack the game Red Dead Redemption 2, which had a very custom game protection implemented by Rockstar. Also to this day there is no crack to Diablo 3, famous for being single player but with online verification. You can create very hard to crack protections quite easy if you employ self-modifying code techniques. Do you have any idea how hard is to debug code that overwrites itself in memory and that cannot be patched by modifying the existing code from disk? The reason why this is not more common is because the more iterations you do, the harder is to create those iterations, which means you add a lot of time to create the protection which means that you need to have a finished code, and code is always modified by production team, so managers see this overtime unnecessary.
Very cool to read an article about windows 95 still being used in production - a nice contrast to the infinite AI hype cycle over everything. Tech may move fast in flashy areas but not in the more "boring" parts of the industry.
I knew of a Windows 95 host running virtualized in a corp environment until at least 2014 or so. It was surprisingly sturdy, I only had to remote into it once or twice when the old software it was running hung up on something. It was old medical software and we apparently had a couple clients still interfaced to it.
The screenshots show the program was made for DOS. Very likely Windows was used just for network file sharing.
There are subtantial amounts of large industrial processes still in operation using equipment from the late 19th century.
Do you mean 20th? Even current looms, steam engines, stills aren't from the 18 hundreds
No, I do mean the late 1800s. Operations processing "low level" materials like agricultural, steel, and mining.
Win95 is only 30 years old and runs natively on some modern hardware.
Apparently there is important stuff still running in emulated PDP-11s, almost double the age.
It needs quite a few fixes to even run in a VM. But it can be done: https://github.com/JHRobotics/patcher9x
This post doesn't go to to great detail, but seems to run natively:
https://www.reddit.com/r/windows/comments/1n1no1k/august_202...
It might be possible to use the rest of that RAM above the 4GB barrier as a ridiculously fast RAM disk, with an XMS driver like this one:
Yes certain software for Canadian made nuclear power plants, comes to mind. Was a post on the VCF forums about a job listing that required PDP-11 knowledge.
The company i work at has the same problem. We have some old mission-critical windows 2000 pc that runs the rpg compiler, with attached dongle. This gave me some clues on where to start - thanks author!
Is defeating a 40-year-old copy protection mechanism still illegal under Section 1201 of the DMCA, or have they changed the law to make an exception for "very old" software?
Once it hits 70 years from the lifetime of the author (so probably another 80 or 90 years from now) and is in public domain, that might change things since there will no longer be copyright being protected.
In terms of copyright terms, this software is still pretty young, not even halfway to public domain. It's disrespectful to call it "very old".
> I must say, this copy protection mechanism seems a bit… simplistic? A hardware dongle that just passes back a constant number? Defeatable with a four-byte patch?
Nowadays we don't bother with copyright protection other than a license key, because we know enterprises generally will pay their bills if you put up any indication at all that a bill is required to be paid.
This was basically the 80s version of that.
Tangential to this was the existence of California Software Product's "Baby/36" software. My father was a 36/400 programmer and sysadmin, and in his spare time used Baby/36 to write software for local businesses. I have vague memories of parallel port dongles being involved back then too. Don't think he mandated their use, was more a "framework" requirement.
The fact that the software and hardware is evidently still in use at some companies gives me pause about whether releasing it in a cracked form publicly after having published it on a personal website would be a good idea.
Software companies love to milk enterprises for all their worth, because they're the entities who will pay the most amount of money if it means that the software they use can still work - and a big part of how they do this is via vendor lock-in. We can see in this article that this company was still using Windows 98 - they're clearly locked-in!
All of which is to say that this intellectual property might actually still be owned by a company who'll be able to sue.
If you haven't already checked whether the patent and other intellectual property is still owned by any company, OP, I would strongly suggest doing so first.
Another poster found grabs of the company's website on archive.org. The last date it existed to be grabbed was in 2001. I think the OP is fine on this one.
Other than that, there's virtually no mention of the company or software anywhere online. Just to put that in context, I'm in the vintage computer / software community where thousands of amateur historians and archivists scour obscure corners looking for old, unknown software apps to preserve. Software sold for Windows 98 up to 2001 (so recent as to barely be considered 'vintage') with so little online footprint means it must have been incredibly obscure. No ads or reviews from magazines or even newsletters means there's a good chance it was a one or two person part-time, home-based business and the product had hundreds or maybe even just dozens of users.
1998-2001 was the hottest time ever for PC software. I worked in marketing Windows software during this period. To have any commercial Windows software product actively available for sale in the late 90s with no surviving footprint would almost require intentional effort to stay unknown. No press releases mailed. No review copies sent. No shows or conferences attended (exhibitor listings are searchable online now). There were much older niche vertical software programs for much more obscure platforms which we know sold less than a hundred copies ever, yet still have a larger online footprint than this program. The OP de-protecting and archiving this previously unknown commercial program represents quite a notable find in the preservation community.
For some reason, Reko was not able to decompile this code into a C representation
That's likely because it's one of those (of which many existed) which attempt to dumbly pattern-match against what a typical C compiler of the time (with equally dumb and extremely inefficient code generation) would do, but that routine clearly looks like handwritten Asm. I've never seen a C compiler from that era generate a LOOP instruction, for example, and of course "cli" nor the I/O instructions are not expressable except perhaps as intrinsics. Ghidra might be a bit better at this, as it's a generalised decompiler.
In fact, when the compiler (RPGC.EXE) compiles some RPG source code, it seems to copy the parallel port routine from itself into the compiled program.
This reminds me of the classic Ken Thompson attack.
This takes me back. There exist emulators for these dongles as well, you run the a dumper with the dongle attached and load the program and it makes a dump file which you then use in the emulator.
I had to do this for a company so they could continue to use their old specialised Win98 software on modern computers using Dosbox and an emulator.
I was hired in the early 90's by a collection of franchises for a home care company. The privately owned head office self-developed and distributed required monthly updates to the only software franchises were permitted to run their business. The monthly updates (floppies) reset the license for another month at each location. After years of problems, poor support, and in a couple cases offices getting shut down because head office just "didn't like them anymore", they banded together to sue the owners (one of which developed the software). I did IT work for a couple of the offices and was already familiar with maintaining the software / systems. They hired me to bypass the licensing code which was a lot of fun to figure out. In the end I wrote a DOS based license generator each office had that could update their software by just getting a code over the phone for the upcoming month (or any date for 365 days). A few years later once the lawsuit settled and the company broke apart we issued a patch for the software to remove the license check completely. I should fire up DOSBox sometime so I can play with that old software again.
Often these dongles were just a single resistor 'circuit'
I wrote RPG II code in the 80s and helped the company I was working part-time for transition to another one of these S/36 emulation environments on the PC in the 90s. The software we used was made by the very generically named California Software Products.
It worked well enough and allowed the company to run until the founder retired and folded the business.
This is kind of like archaeology - just, software archaeology.
I remember reading an ad in one of the 90s PC magazines that attributed the dongle to an inventor named “Don Gull.” I was fortunate enough to never have to use a hardware dongle, but I remember hearing about their persistence into the twenty-first century. I would imagine that most of them were as ridiculously simple as this one was.
>The only evidence for the existence of this company is this record of them exhibiting their wares at SIGGRAPH conferences in the early 1990s, as well as several patents issued to them, relating to software protection.
There is also their webpage for ordering PC RPG II. The company address is a residential house.
https://web.archive.org/web/20010802153755/http://home.netco...
Apparently there is a Noel Vasquez, now in his late 80s, living at that address. Might be the guy to contact for further information, if he's still around.
I think I remember hacking some of the copy-protection out of a version of Tetris using the Borland debugger. I definitely patched mouse support into a Chris Crawford "Battle of the Bulge" game using it (for my rather tricky platform). That was a good debugger, and probably the last one I have used much - prefer logging/printing for stuff I write myself.
I remember my Dragon 32 (6809, Color Computer clone) had a dongle you plugged into the joystick port to protect a really crap game - Jumping Knights? I never tried to defeat it.
As a hardware guy I would first start with opening up the dongle, but hey! Still very curious to see whats inside!
I always thought the internals were encased in potting compound for these things to prevent exactly this scenario (certainly the ones I had for LightWave back in the day were)...
Fun hack, sure, but why on earth isn't the focus on porting the accounting data to a new, currently supported accounting system?
Cracking this dongle; wouldn't this be a federal offence in the US?
Not being snarky - genuine question! I am not from the US :-)
Yes and in every country that adopted a copyright treaty with the US, so all of them except China
wow, the home accountant is basically the great-grandfather of everything we do in modern financial and actuarial modeling. dmitry's breakdown is like digital archeology.
it’s wild to think about the hardware risk people used to accept putting your entire household's financial history on a system that bricks itself the second a 40-year-old plastic dongle fails. really great read.
Fun journey! It would be fascinating to see what's inside the dongle. I wonder if it's programmable or just a simple circuit.
Yes, a neat follow-up would be to clone the copy protection device with a cheap microcontroller. A lot of these devices were filled with epoxy, but it would be funny to find out these were all just 1Kbit EEPROMs. Such an article could give some background on parallel port communication, EEPROMs, and how regular printer data was passed through.
So what hardware would be inside the dongle? Would a small PAL be enough? 22V10? Maybe use a few registers to delay the values written by a few cycles, mixing in some decode logic? (Something cheaper than a microcontroller, I'm guessing... due to cost)
I designed a security dongle a long time ago ... Used properly, it did rotations and XORs like a CRC. You could definitely make it hard to defeat but it was still ultimately deterministic.
My father, an accountant, used to have a program like that, that used RPG and a dongle! Good times. Horrible donle.
>Very importantly, there doesn’t seem to be any “input” into this routine. It doesn’t pop anything from the stack, nor does it care about any register values passed into it. Which can only mean that the result of this routine is completely constant!
This is circumventing an effective copy protection measure, a federal crime under 17 U.S.C. section 1201. I see the developer is from Boston, so falls under U.S. jurisdiction and thus has committed a felony under U.S. federal law.
> Is this really worthy of a patent?
You have no idea how deep this rabbit hole goes.
Patents are barely better than copyright, as far as society net-positive.
And they probably could've just used Neverlock Business which cracks zillions of programs.
Why wasn't (isn't) this more widely used? It was clearly more effective than a cdkey.
I know there is cost associated with the hardware, but surely the costumer can cough 15 more dollars.
The only reason I can think of is wanting as wide adoption before max revenue as possible. But then, this has never been too popular, not even for games!
Dongles were extremely widely used in the 1990s and early 2000s; for anything more advanced than consumer software you'd almost expect them? Almost every DAW, video editor, high-end compiler, engineering/CAD package, or 3D suite used them, certainly.
I think sometime in the late 1990s FlexLM switched from dongles to "hardware identifiers" that were easily spoofed; honestly I don't think this was a terrible idea since to this article's conclusion, if you could reverse one you could reverse the other.
But this concept was insanely prevalent for ~20 years or so.
One of the biggest problems was not having enough ports. Some parallel port dongles tried to ignore communication with other dongles and actually had a port on the back; you'd make a "dongle snake" out of them. Once they moved to USB it was both easier and harder - you couldn't make the snake anymore, but you could ask people to use a hub when they ran out of ports.
> I think sometime in the late 1990s FlexLM switched from dongles to "hardware identifiers" that were easily spoofed; honestly I don't think this was a terrible idea since to this article's conclusion ...
Starting in '97 I worked on some software that used Elan License Manager (elmd) that then moved on to FlexLM in a major release.
Requests for, and problems with, licensing were a considerable source of support tickets but I'm sure it also drove a reasonable amount of sales as customers wanted to play with component X but were prevented from doing so by a lack of license.
When we were acquired by IBM we replaced the licensing code with lawyers and (threats of) audits. It didn't seem to harm the revenue. The product is still being maintained and sold.
> ... if you could reverse one you could reverse the other.
I can confirm it was quite easy with gdb to either skip past the license checks or, in the case of Elan licensing at least, call the license generation function from within the binary to generate whatever licenses for whatever features you liked.
The "hardware identifiers" were a nightmare too. I ended up writing some code that would pull all of the necessary information (primary MAC, IP address, hostid for Sparc machines, hostname, etc) and give it to us in a base64 encoded blob, we also grabbed some CPU and memory information that proved quite useful in seeing how the software was deployed.
P-CAD even had a dongle-caddy where you could plug in I think about 7 of them into to unlock different modules.
I will check if I can find an image of it.
EDIT: here is an old listing of it: https://www.ebay.com/itm/187748130737
Sadly the lid isn't open so you can't see what modules are installed.
One problem is that they often couldn't be daisy chained, the connector on the back was only useful for an actual printer. So if everybody started doing it you would have to swap them constantly which is a headache. So they're mostly used for software where it's going to be the only thing running on the box.
I find it interesting that they didn't make it into the USB era where you could easily have something that does some actual processing on the device that makes it a serious challenge to reverse engineer.
They did carry over into the USB era! I specifically remember my stepdads copy of Cubase (music production software) requiring a USB dongle to open.
Ditto - and there's also the "iLok" dongle used by loads of virtual instrument & effects plugins for DAWs.
I could have sworn, back in my day, on WinNT4 we successfully chained a red and white pair from Autodesk. One for AutoCad, and either Mechanical Desktop or 3ds Max.
Having to put a physical device on your parallel port at the back of the computer is kind of annoying, especially if every software you use has one.
More common for games was to use the media itself for copy protection, using a variety of tricks to make copy more difficult. Other techniques involve printing some keys you have to enter using colors that don't render well in photocopies, or have you look at words a certain page of a thick user manual, the idea being that it is more expensive to go through the effort of copying this material than to buy the software legally.
One of my favorite is from Microprose games, for which the manual was a pretty good reference book on the subject of the game, that alone is worth buying. And the copy protection is about asking you about information contained in the book, for example, it may be some detail about a particular plane in a flight simulator, which means that a way to bypass copy protection is simply to be knowledgeable about planes!
Dongles were common, but mostly for expensive enterprise software. Also, dongles don't make cracking harder compared to all the other techniques, so for popular consumer software like games, it is likely to be a lot of inconvenience and a waste of money for limited results.
Partly it was an anti-Wobbler thing. Someone in America or somewhere thought it was real clever to make the game ask you little questions, like “What’s the first word on line 23 on page 19 of the manual?" and then reset the machine if you didn’t answer them right, so they’d obviously never heard of Wobbler’s dad’s office’s photocopier.
-- Only You Can Save Mankind, Terry Pratchett, 1992
Makes me sad how many person-years of effort have been wasted over the years on futile dongle-engineering, copy-protection and DRM. They're pretty much all cracked. And the industry keeps insisting on trying!
It was widely used in engineering software because the license cost was equivalent to a large fraction of an engineer's salary. Anyone who used AutoCAD back in the 90s can remember.
When parallel ports were discontinued, they migrated to USB and network license servers.
A company I worked for in the mid-80’s used a PC based CAD package with this kind of copy protection. IIRC the cost of the software was about $5K, and engineers using it probably made around 50K/yr. This level of expense required a lengthy capex justification approval process. There was a category of users who didn’t need the software full time and since the software was tied to the dongle it was common to have the package installed on multiple workstations and borrow the dongle when needed.
The nature of our business was such that there was a lot of logic analyzers and signal tracing equipment in the lab and the dongle was reverse engineered and cloned after a couple of “where’d my dongle go” incidents.
Dongles still exist in the form of Nintendo Switch cartridges, though they're an extreme form that contains all the app logic, rather than just 7606h.
On Switch 2 there are also pure license dongles in the form of the Game-Key Card. https://en.wikipedia.org/wiki/Nintendo_Game_Card#Game-Key_Ca...
Cartridges and cd/dvds/ physical media with DRM were technically dongles.
I remember hearing a courier died overnighting a CAD dongle.
[dead]
[dead]
[dead]
[flagged]